Integrating Cisco Identity Services Engine (ISE) with Active Directory (AD) lets ISE authenticate users and machines against the domain and use AD group membership in its policies. This guide walks through the Cisco ISE integration with Active Directory step by step: joining the ISE nodes to the domain, importing the AD groups that policies will reference, and verifying the result.
Cisco ISE Integration with Active Directory – Configuration
Step 1> Define the join point name and domain details.
Navigate to Administration > Identity Management > External Identity Sources and click Active Directory.

Enter the details. The join point name is only a local label in ISE and can be anything; under "Active Directory Domain" enter the FQDN of the domain that ISE should join.


Step 2> Enter domain credentials to perform the join operation.
Select the Cisco ISE node(s) you want to join to Active Directory and click Join. Usually all nodes in the deployment are joined so that every PSN can authenticate against AD.

Enter the AD credentials used to perform the join and click OK. The account must have the permissions required for the join; a Domain Admin account works but is more privilege than the operation needs.
Three sets of permissions are involved:
- Join operation (the credentials you enter): create the machine account, search for the machine account, and set attributes on the machine account.
- Leave operation (the credentials you enter): search for the machine account and delete the machine account.
- ISE machine account (created by the join and used at run time): change its own password, search for users and machine accounts, and search for groups.
The join credentials are needed only while the join (or leave) runs; afterwards ISE talks to AD as its own machine account. If the join fails, click the error message to see the details of the failure.

A successful join operation is shown below.
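The permissions listed under Step 2 can be delegated on a single OU instead of giving ISE a Domain Admin account. The following PowerShell is an added example, not code from the original post or from Cisco: it creates a dedicated join account and grants it only create/delete of computer objects on one OU plus read/write of properties on the computer objects underneath it. The domain corp.example.com, the OU "ISE Nodes" and the account svc-ise-join are assumed names; the computer class GUID is the schemaIDGUID of the AD "computer" class. Check the exact rights against the Cisco documentation for your ISE version, and if the join still reports a permission error, the error detail in ISE shows which operation failed.

```powershell
# Added example (not from the original post): delegate only the rights the ISE
# join account needs on one OU, instead of using a Domain Admin for the join.
# Hypothetical names: domain corp.example.com, OU "ISE Nodes", account svc-ise-join.
# Run on a domain-joined admin host with RSAT; needs rights to edit the OU's ACL.
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'
$TargetOU = 'OU=ISE Nodes,DC=corp,DC=example,DC=com'
$JoinUser = 'svc-ise-join'

# 1. Dedicated, unprivileged join account (password is prompted, not stored in the script)
New-ADUser -Name $JoinUser -SamAccountName $JoinUser `
    -UserPrincipalName "$JoinUser@$Domain" `
    -AccountPassword (Read-Host -AsSecureString "Password for $JoinUser") `
    -Enabled $true

$sid = (Get-ADUser -Identity $JoinUser).SID
# schemaIDGUID of the "computer" object class; restricts the ACEs to computer objects only
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$None  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$TargetOU"

# 2. Join: create computer objects directly under the OU
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $Allow, $computerClass, $None))

# 3. Leave: delete computer objects directly under the OU
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild, $Allow, $computerClass, $None))

# 4. Join: read and set attributes on the machine accounts it creates
#    (inherited by descendant computer objects only, nothing else in the OU)
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $Allow, $Desc, $computerClass))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 5. Verify: list only the ACEs granted to the join account
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$JoinUser" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Use this account's credentials in the ISE join dialog and, since the rights are scoped to "OU=ISE Nodes", tick the join dialog's Specify Organizational Unit option and point it at that OU so the machine accounts are created where the delegation applies. The account can be disabled between joins; ISE does not need it once the machine account exists.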

ISE Active Directory Group – Configuration
Step 3> Select the Active Directory groups to use in Cisco ISE.
Groups must be retrieved from AD before they can be referenced in ISE policies. Navigate to the Groups tab, click Add, and choose Select Groups From Directory:

Enter a name filter for the required group, click Retrieve Groups, tick the desired group(s), click OK, and then Save. Only groups retrieved here appear as conditions in authorization policies.


Cisco ISE Integration With AD – Verification
After integrating Cisco ISE with Active Directory, confirm that the setup works before building policies on it. The Test User feature on the join point lets you do this without touching a network device.

The test can be run without a password by setting Authentication Type to Lookup; ISE then displays the user's attributes and group membership as retrieved from AD, which confirms both the join and the group retrieval from Step 3.
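The same facts can be confirmed from the AD side, which is useful when the ISE lookup fails and you need to know whether the problem is the join, the machine account, or the user object. The following PowerShell is an added example, not code from the original post or from Cisco. It assumes the nodes were joined into the OU "ISE Nodes" (via the join dialog's Specify Organizational Unit option; otherwise search the default Computers container), ISE node hostnames ise-pan-1 and ise-psn-1, a test user jdoe and an AD group NetAdmins that was retrieved in Step 3; all of these are hypothetical names.

```powershell
# Added example (not from the original post): check from the AD side what the
# ISE "Test User" lookup should show. Hypothetical names throughout.
Import-Module ActiveDirectory

$TargetOU = 'OU=ISE Nodes,DC=corp,DC=example,DC=com'
$IseNodes = @('ise-pan-1', 'ise-psn-1')   # hostnames of the ISE nodes that were joined
$TestUser = 'jdoe'
$IseGroup = 'NetAdmins'                    # AD group retrieved in Step 3

# 1. Every joined node must have an enabled machine account in the OU.
#    ISE rotates its own machine account password, so PasswordLastSet should not be stale.
$accounts = foreach ($node in $IseNodes) {
    $c = Get-ADComputer -Filter "Name -eq '$node'" -SearchBase $TargetOU `
             -Properties Enabled, PasswordLastSet
    [pscustomobject]@{
        Node            = $node
        Joined          = [bool]$c
        Enabled         = if ($c) { $c.Enabled } else { $false }
        PasswordAgeDays = if ($c) { [int]((Get-Date) - $c.PasswordLastSet).TotalDays } else { $null }
    }
}
$accounts | Format-Table -AutoSize

# 2. AD-side equivalent of the Lookup test: the user resolves, is usable, and is a
#    member of the selected group, including nested membership
#    (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941).
$user    = Get-ADUser -Identity $TestUser -Properties MemberOf, Enabled, LockedOut, PasswordExpired
$groupDn = (Get-ADGroup -Identity $IseGroup).DistinguishedName
$inGroup = [bool](Get-ADUser -LDAPFilter "(&(sAMAccountName=$TestUser)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))")

[pscustomobject]@{
    User            = $user.SamAccountName
    Enabled         = $user.Enabled
    LockedOut       = $user.LockedOut
    PasswordExpired = $user.PasswordExpired
    DirectGroups    = ($user.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
    InIseGroup      = $inGroup
} | Format-List
```

If step 1 shows Joined = False for a node, the ISE join did not complete or the machine account was created elsewhere; if step 2 shows the user in the group but the ISE lookup does not list it, the group was most likely not retrieved in Step 3. The direct-membership list is a quick sanity check that the group names match what ISE displays.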

For other posts related to ISE, visit the blog. For the official documentation, visit the Cisco website.